NETWORK DATA PACKET CLASSIFICATION AND DEMULTIPLEXING

FIELD OF THE INVENTION

The present invention is directed to the field of packet communication. It is more particularly directed to classification and demultiplexing of network communication packets processed in a network protocol stack.



BACKGROUND OF THE INVENTION

Communication over a network often requires that the information to be transported from one computer to another be divided into network communication packets. These network communication packets, simply referred to as "packets", are transported across the physical communication network.

The information originating from an application program becomes packetized into network communication packets by passing through various software components before arriving at the network interface card for transmission on the physical communications network. These software components are typically layered to form what is known as the network protocol stack. Each layer is responsible for a different facet of communication. For example, the TCP/IP protocol stack is normally split into four layers: link, network, transport and application. Figure 1 shows the relationship between the protocol layers and the TCP/IP protocol stack. The link layer 101 is responsible for placing data on the physical network. The network layer 102 is responsible for routing. The transport layer 103 is responsible for the communication between two hosts. The application layer 104 is responsible for processing the application specific data.

For example, Figure 2 illustrates the stages of an HTTP request being encapsulated before being sent to a web server. As the request descends the protocol stack, each layer 201-204 encapsulates the packet, adding its own header. When the HTTP packet arrives at the destination address, each protocol layer uses information within its header to classify the incoming packet amongst all the protocols in the layer above it. This process is commonly referred to as demultiplexing.

At each layer in the network protocol stack, the packet is demultiplexed or "classified" based on information about the packet that is contained in the headers or on information inside the data portion of the packet itself. The packet is processed differently based on its classification.



For example, Figure 3 illustrates how this classification is done for an incoming HTTP request 301. The Ethernet driver 302, in the link layer 300, classifies the packet based on the frame type in the Ethernet header and passes it to IPv4 312 in the network layer 310. IPv4 312 classifies the packet based on the protocol value in the IP header and passes it to TCP 323 in the transport layer 320. TCP classifies the packet based on the destination port number in the TCP header and passes it to the HTTP server 332 in the application layer 330.
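The three-stage demultiplexing of Figure 3, as an added illustration that is not part of the patent text: a small C program that classifies a constructed Ethernet/IPv4/TCP frame on the Ethernet frame type, the IPv4 protocol field and the TCP destination port, and rejects a truncated or malformed header at each stage instead of reading past it. The frame contents, the enum names and the helper names (demux_frame, build_sample_frame, classify_sample) are assumptions made for this example.

```c
/* Added example, not from the patent: a minimal three-stage demultiplexer in
 * the style of Figure 3. Each stage classifies on one header field and hands
 * the packet to the next stage. The sample frame is constructed below. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum app_class {
    APP_NOT_IPV4 = 0,  /* link layer: frame type is not IPv4                       */
    APP_NOT_TCP,       /* network layer: IPv4 header malformed or protocol not TCP */
    APP_TRUNCATED,     /* transport layer: TCP header incomplete                   */
    APP_HTTP,          /* transport layer: destination port 80                     */
    APP_OTHER_TCP      /* transport layer: any other destination port              */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Link layer (Ethernet driver 302): classify on the frame type field. */
static int eth_classify(const uint8_t *f, size_t len, size_t *ip_off)
{
    if (len < 14 || rd16(f + 12) != 0x0800) return 0;   /* 0x0800 = IPv4 */
    *ip_off = 14;
    return 1;
}

/* Network layer (IPv4 312): check version and IHL, classify on the protocol field. */
static int ipv4_classify(const uint8_t *p, size_t len, size_t *tcp_off)
{
    if (len < 20 || (p[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return 0;   /* header length field inconsistent with data */
    if (p[9] != 6) return 0;               /* 6 = TCP */
    *tcp_off = ihl;
    return 1;
}

/* Transport layer (TCP 323): classify on the destination port. */
static enum app_class tcp_classify(const uint8_t *s, size_t len)
{
    if (len < 20) return APP_TRUNCATED;
    return rd16(s + 2) == 80 ? APP_HTTP : APP_OTHER_TCP;
}

enum app_class demux_frame(const uint8_t *f, size_t len)
{
    size_t ip_off = 0, tcp_off = 0;
    if (!eth_classify(f, len, &ip_off)) return APP_NOT_IPV4;
    if (!ipv4_classify(f + ip_off, len - ip_off, &tcp_off)) return APP_NOT_TCP;
    return tcp_classify(f + ip_off + tcp_off, len - ip_off - tcp_off);
}

/* Build a constructed 54-byte Ethernet/IPv4/TCP frame. Checksums are left
 * zero; the classifier above does not verify them. Returns bytes written. */
size_t build_sample_frame(uint8_t *buf, size_t cap, uint16_t eth_type,
                          uint8_t ip_proto, uint16_t dport)
{
    if (cap < 54) return 0;
    memset(buf, 0, 54);
    memset(buf, 0xff, 6);                   /* dst MAC (constructed) */
    memset(buf + 6, 0x02, 6);               /* src MAC (constructed) */
    wr16(buf + 12, eth_type);
    uint8_t *ip = buf + 14;
    ip[0] = 0x45;                           /* version 4, IHL 5 words */
    wr16(ip + 2, 40);                       /* total length: 20 IP + 20 TCP */
    ip[8] = 64;                             /* TTL */
    ip[9] = ip_proto;
    const uint8_t src[4] = {10, 0, 0, 1}, dst[4] = {10, 0, 0, 2};
    memcpy(ip + 12, src, 4);
    memcpy(ip + 16, dst, 4);
    uint8_t *tcp = ip + 20;
    wr16(tcp, 49152);                       /* ephemeral source port */
    wr16(tcp + 2, dport);
    tcp[12] = 0x50;                         /* data offset 5 words */
    tcp[13] = 0x02;                         /* SYN */
    wr16(tcp + 14, 65535);                  /* window */
    return 54;
}

/* Construct a frame with the given fields and classify it. */
enum app_class classify_sample(uint16_t eth_type, uint8_t ip_proto, uint16_t dport)
{
    uint8_t frame[64];
    size_t n = build_sample_frame(frame, sizeof frame, eth_type, ip_proto, dport);
    return demux_frame(frame, n);
}

/* Same IPv4/TCP/80 frame, but only the first `len` bytes are delivered. */
enum app_class classify_sample_truncated(size_t len)
{
    uint8_t frame[64];
    size_t n = build_sample_frame(frame, sizeof frame, 0x0800, 6, 80);
    return demux_frame(frame, len < n ? len : n);
}

int main(void)
{
    printf("IPv4/TCP/80 -> %d (APP_HTTP=%d)\n", classify_sample(0x0800, 6, 80), APP_HTTP);
    printf("IPv4/UDP/53 -> %d (APP_NOT_TCP=%d)\n", classify_sample(0x0800, 17, 53), APP_NOT_TCP);
    printf("40-byte cut -> %d (APP_TRUNCATED=%d)\n", classify_sample_truncated(40), APP_TRUNCATED);
    return 0;
}
```

Each stage checks the length it needs before touching a field, which is the property a demultiplexer in the interrupt path must have: a short or malformed frame falls out of the stack at the layer that detects it rather than being classified on bytes that were never received.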



Traditional packet classification systems, as found in BPF, DPF, Pathfinder, Router Plugins, operating systems and many firewalls, are limited to a set of fixed pattern matching rules. This allows a user to intercept/process any packet that matches the desired set of values in the appropriate byte ranges (usually a combination of the IP and the protocol header fields, such as source/destination address, protocol or source/destination ports). These packets are then passed to a software module that processes the packets and can modify, forward, drop or delay them. Stateful packet filtering systems generally have the ability to generate and add rules dynamically based on application traffic. However, such systems do not provide simple methods to extend packet processing to understand new application protocols.

These traditional systems may work well for applications that use a single connection to a well known destination address and port. However, many modern applications initially use a well known service port for the control session and then use additional connections on ephemeral port numbers for each data stream. Examples of such applications are FTP, Real Audio and H.323. To support these applications efficiently, the traditional systems must allow packet matching filter rules to be updated dynamically and quickly. In addition, some modern protocols have abandoned fixed format headers and fixed sized fields. For example, HTTP makes its headers human readable by encoding them as strings.

SUMMARY OF THE INVENTION

It is thus an aspect of the present invention to provide greater flexibility in classifying and demultiplexing packets in the network protocol stack. As a result, it provides a method for application level classification. This is due to classifying techniques and a modular structure described subsequently.

Another aspect of the present invention provides easier extendibility for packet processing in the network protocol stack by defining a standard method for adding new functionality or support for new protocols and applications.

Another aspect of the present invention provides methods and apparatus to obtain external information, from an application scheduled outside of the forwarding or interrupt context of the kernel, in order to augment packet classification and/or disposition.



An example embodiment of the present invention is a method for classifying a data packet. The method includes the steps of: receiving the packet at a root node of a classification tree; passing the packet to a first child node of a first tree level of the classification tree indicating a satisfaction of a node-criteria of the first child node; the first child node forming the data packet into a matched packet; and repeating the steps of passing and forming for a next tree level until no first child node of the next level at a succeeding next level indicates satisfaction of the node-criteria of the first child node of the next level.






DOCKET NUMBER: YOR9-2000-0185-US1 



In some embodiments the step of indicating includes the step of executing a set of code which returns a status indication of the type; and/or the step of indicating satisfaction of a criteria includes the steps of executing a set of code which identifies the desired packet and returning a status indication; and/or the step of forming the data packet into a matched packet includes the step of indicating satisfaction; and/or the step of repeating the step of passing and the step of forming includes the steps of indicating and returning a status indication of NO_Match.



In some embodiments of the method, the method further includes: the step of adding at least one new child node; and/or one new child node is a Real Audio node; and/or the method is extendible such that one or more nodes are dynamically added at any level; parsing the matched packet and generating relevant information; transforming the matched packet into a transformed packet; and/or associating the packet at a last first child node indicating satisfaction; executing a set of code in accordance with the last first child node; and/or the step of forming includes the first child node specifying a set of code to be run subsequently; and/or the step specifying specifies the set of code to be run



Another example embodiment of the present invention is a method which uses an external process for classifying a packet. This method includes the steps of suspending a classification process in progress for the packet, and obtaining external information employed in the classifying. This is performed by an application scheduled outside of the forwarding or interrupt






In some embodiments of the method, the step of suspending includes the steps of queuing any data, including information about the packet or its present classification; and/or transferring said data to an application that is scheduled outside of the forwarding or interrupt context of the kernel.

In some embodiments of the method, the step of obtaining external information includes augmenting a node-criteria of a node in a classification tree with additional information; and/or the external information includes authentication of an originator of the packet; the classification process is an extendible classifier process (in one application, a process is extendible by adding a new child node); and/or the step of specifying includes enforcement of a site policy. A site policy is composed of a number of different aspects including security. The security aspect of a site policy may be based on packet classification and authentication information.

Another aspect of the present invention is a method for determining disposition of an original packet received at a child node. The method includes the step of passing the original packet and a first disposition of the original packet to an external process, and the external process augmenting the original packet and/or augmenting the first disposition by employing a process specific means and returning an augmented packet and an augmented disposition to the child node. Some embodiments of the method include suspending a disposition process in progress for the original packet; and/or the augmented disposition includes identification of and/or authentication of an originator of said packet.



BRIEF DESCRIPTION OF THE DRAWINGS

These and other aspects, features, and advantages of the present invention will become apparent upon further consideration of the following detailed description of the invention when read in conjunction with the drawing figures, in which:

Fig. 1 shows the relationship between the protocol layers and the TCP/IP protocol stack;

Fig. 2 illustrates the stages of an HTTP request being encapsulated before being sent to a web server;

Fig. 3 illustrates how classifying is done for an incoming HTTP request;

Fig. 4 shows an example of how to organize modules in the classification tree in accordance with the present invention;

Fig. 5 shows an example of a packet classification and demultiplexing process in classifying a packet in accordance with the present invention;

Fig. 6 shows an example of steps to determine the packet disposition in accordance with the present invention;

Fig. 7 shows an example of pm_t return codes in accordance with the present invention;

Fig. 8 shows an example of application dependent nodes in accordance with the present invention;

Fig. 9 shows an example of pp_t return codes in accordance with the present invention;

Fig. 10 shows an example of paction_t return codes in accordance with the present invention; and

Fig. 11 shows an example of an apparatus in accordance with the present invention.

DETAILED DESCRIPTION OF THE INVENTION

Networking protocols are normally divided into layers which are responsible for different facets of communication, as Figure 1 depicts for the network layers of the TCP/IP protocol. The associated call graph created by the standard UNIX protocol stack is arranged like a tree, as described for Figure 3. Each level of the tree corresponds to a different layer in the networking protocol stack. The present invention mimics the call graph of the UNIX protocol stack and organizes the different modules competing for packets at the IP layer in a tree structure herein referred to as a classification tree.
An example of a classification tree 400 is shown in Figure 4. Figure 4 shows each node in the classification tree as a separate module. In an embodiment of the present invention each node is composed of 4 packet traversal functions (matcher, preprocessor, action, and post processing) and 3 node management functions (callback, heartbeat and management). Only the packet matching function, which identifies the packets to process, and the packet action function, which determines the packet disposition, are required. The packet matching function is herein referred to as the node-criteria of the node. The remaining traversal and management function pointers can default to NULL. These functions associated with each node are stored in a PacketFilter structure.

Since each of the nodes is a separate dynamically loadable module, the classification tree organization is flexible. In an embodiment of the present invention, the modules are loaded into memory during the initialization process. Based upon configuration information the modules are then arranged to form a classification tree. The ordering of the modules is important since the packet traversal is governed by this ordering. As the classification tree is created, each node is initialized by executing a set of code. In the embodiment, this set of code is a function referred to as the management function (mm). The input parameter to the mm function is generally a single pointer to a buffer containing the node specific configuration data.

Figure 4 shows an example of how to organize modules in the classification tree. The IPv4 503, IPv6 504, UDP 506, HTTP 507 and TCP 508 modules each wish to observe or modify packets that use the protocol for which they are named. However, in this example, there are multiple ways one could imagine wanting to process HTTP requests. These ways include: providing a transparent HTTP proxy function, using a specialized TCP for HTTP like Transaction TCP (T/TCP), doing content filtering based on site policy, or limiting packet traffic based on a service contract. Depending on the intended purpose of the classification tree, differing modules are loaded into memory. A site policy is composed of a number of different aspects including security. The security aspect of a site policy may be based on packet classification and authentication information. Once initialization completes, the classification tree may be modified by adding, deleting or moving a node. This ability to modify the classification tree makes the packet classification process extendible.

The present invention includes methods for implementing a packet classification process and/or an augmented packet disposition process. The packet to be classified and/or augmented is herein referred to as the original packet. The resulting packet is referred to as the augmented packet. The disposition of the original packet is herein referred to as the first disposition, and the disposition resulting from the augmented disposition process is herein referred to as the augmented disposition. Anything outside of the forwarding or interrupt context of the kernel is herein said to be external.

An example embodiment has 7 steps to classify a packet and determine the augmented packet disposition. These steps are in the interrupt context except where noted. Steps 1-4 describe the packet classification process shown in Figure 5. Steps 5-7 describe augmenting the packet disposition process. A flow diagram for these seven steps is shown in Figure 6. Refer to Figures 5 and 6 for the following description.

Step 1: After receiving a packet from the physical network, the Link Layer passes the packet to the root node 502.

In this step, a network driver receives a packet from the physical network, which it classifies based on the frame type in the MAC header and passes to the root node of the classification tree.
12 

Step 2: The packet is passed to a first child node of the first level 521 of the classification tree, indicating a satisfaction of a node-criteria of the child node.

The root node asks each child node from left to right whether the packet matches its node-criteria, until a child node's node-criteria is satisfied. The root node then passes the packet to that first child node which satisfies the node-criteria and forms the data packet into a matched packet. In Figure 5, the root node 502 first passes the packet to the IPv4 node 503. A child node's node-criteria includes a set of code used to identify the packets desired. This set of code is implemented as a function referred to as the packet matching function (pm) 603.

The input parameters to the pm function are: the PBUF, an operating system independent data structure containing the packet; the options memory area; and a pointer to the packet filter node. The result of the packet matching function, indicating satisfaction or lack thereof of the child node's node-criteria, is of type pm_t. Figure 7 enumerates a sample group of type pm_t return code values 700. The packet matching function results indicating satisfaction of a child node's node-criteria include: Match_OK, Match_This, Match_Discard, and Match_Forward. The result indicating lack of satisfaction is NO_Match.

The packet matching function may be as simplistic as matching a static fixed offset, such as the IPv4 node, or as complex as identifying the packets for applications which negotiate additional connections, such as FTP, Real-Audio and H.323. Unfortunately, since each of these applications has its own method for negotiating additional connections, application dependent nodes are required. This is illustrated in Figure 8 for H.323 831, Real-Audio 832, and FTP 833. For each additional connection, a dynamic filter rule is created. These dynamic filter rules and other state information for the negotiated connections are stored locally in the application specific node. One implementation uses a hash table structure for storing this data. Based on the well known service port and the application specific data, the packet matching function identifies the packets desired, enabling application level classification.
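An application dependent node of the kind just described, as an added example that is not the patent's own code: the node matches its well known control port plus any dynamic filter rules learned from the control stream, and keeps those rules in a small hash table local to the node, as the text says one implementation does. The FTP PORT syntax ("PORT h1,h2,h3,h4,p1,p2", data port = p1*256 + p2) is the real one; the PBUF fields, the table size, the rule-table helpers (rule_add, rule_lookup), the pm_app/pa_app_learn names and the addresses in the scenario are assumptions made here.

```c
/* Added example, not from the patent: an application dependent node whose pm
 * consults dynamic rules that its pa learned by watching the control channel.
 * Addresses and messages below are constructed for the demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { NO_Match, Match_OK } pm_t;

/* PBUF stand-in (assumed fields): IPv4 addresses in host order plus the
 * control-channel text, if any, carried by this packet. */
typedef struct { uint32_t src, dst; uint16_t sport, dport; const char *payload; } PBUF;

#define RULE_SLOTS 64
/* A dynamic rule: packets destined to host `peer` on `port` belong to this application. */
struct dyn_rule { uint32_t peer; uint16_t port; int used; };

/* Node-local state: the well known control port and the learned rules. */
struct app_node { uint16_t ctrl_port; struct dyn_rule rules[RULE_SLOTS]; size_t nrules; };

static size_t slot_of(uint32_t peer, uint16_t port) { return (peer * 2654435761u ^ port) % RULE_SLOTS; }

/* Insert a rule (open addressing, linear probing). Returns 0, or -1 when full. */
int rule_add(struct app_node *n, uint32_t peer, uint16_t port)
{
    if (n->nrules == RULE_SLOTS) return -1;
    for (size_t i = slot_of(peer, port), k = 0; k < RULE_SLOTS; i = (i + 1) % RULE_SLOTS, k++) {
        if (n->rules[i].used && n->rules[i].peer == peer && n->rules[i].port == port) return 0;
        if (!n->rules[i].used) { n->rules[i] = (struct dyn_rule){ peer, port, 1 }; n->nrules++; return 0; }
    }
    return -1;
}

int rule_lookup(const struct app_node *n, uint32_t peer, uint16_t port)
{
    for (size_t i = slot_of(peer, port), k = 0; k < RULE_SLOTS; i = (i + 1) % RULE_SLOTS, k++) {
        if (!n->rules[i].used) return 0;
        if (n->rules[i].peer == peer && n->rules[i].port == port) return 1;
    }
    return 0;
}

/* Packet matching function: the well known control port, or a learned data port. */
pm_t pm_app(const PBUF *p, const struct app_node *n)
{
    if (p->dport == n->ctrl_port) return Match_OK;
    if (rule_lookup(n, p->dst, p->dport)) return Match_OK;
    return NO_Match;
}

/* Packet action function for the control channel: on a PORT command, add a
 * dynamic rule for the announced data port. Returns 1 if a rule was added,
 * 0 if the packet carried nothing to learn, -1 if the command was refused. */
int pa_app_learn(struct app_node *n, const PBUF *p)
{
    unsigned h1, h2, h3, h4, p1, p2;
    if (p->dport != n->ctrl_port || !p->payload) return 0;
    if (sscanf(p->payload, "PORT %u,%u,%u,%u,%u,%u", &h1, &h2, &h3, &h4, &p1, &p2) != 6) return 0;
    if (h1 > 255 || h2 > 255 || h3 > 255 || h4 > 255 || p1 > 255 || p2 > 255) return -1;
    uint32_t peer = (h1 << 24) | (h2 << 16) | (h3 << 8) | h4;
    /* Only open a rule for the address that sent the command; otherwise the
     * control stream could create filter rules for an unrelated third host. */
    if (peer != p->src) return -1;
    return rule_add(n, peer, (uint16_t)(p1 * 256 + p2)) == 0 ? 1 : -1;
}

/* Scenario (constructed): client 10.0.0.5 talks to server 10.0.1.1 on port 21,
 * announces data port 4660, and the server's data connection then arrives.
 * Returns 1 when every step behaves as expected, a negative step number otherwise. */
int dynamic_rule_demo(void)
{
    struct app_node node = { 21, {{0}}, 0 };
    uint32_t client = (10u << 24) | 5, server = (10u << 24) | (1u << 8) | 1;
    PBUF data = { server, client, 20, 4660, NULL };
    if (pm_app(&data, &node) != NO_Match) return -1;                  /* not yet learned */
    PBUF ctrl = { client, server, 49152, 21, "PORT 10,0,0,5,18,52" };  /* 18*256+52 = 4660 */
    if (pm_app(&ctrl, &node) != Match_OK) return -2;
    if (pa_app_learn(&node, &ctrl) != 1) return -3;
    if (pm_app(&data, &node) != Match_OK) return -4;                  /* now classified */
    PBUF bad = { client, server, 49153, 21, "PORT 10,0,0,9,18,53" };   /* third host: refused */
    if (pa_app_learn(&node, &bad) != -1) return -5;
    return 1;
}

int main(void)
{
    printf("dynamic rule demo: %d\n", dynamic_rule_demo());
    return 0;
}
```

The state the pa function accumulates never leaves the node, which is the point of the text's "stored locally in the application specific node": the pm function can consult it on every packet without any global rule table having to change.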

Step 3: Repeat the process of 'passing the packet', starting with a first child node of a next tree level of the classification tree which satisfies a node-criteria of that first child node, as described in step 2, and form the packet into a matched packet, until no child of a next tree level of the classification tree succeeds in satisfying a node-criteria (No_Match).

A determination is made if there is a next child 604. If there is, flow continues with 601. If not, flow continues with 621. Thus, when the packet matching functions of all of the children nodes of the next tree layer result in a lack of satisfaction (No_Match), the packet is said to have fully traversed the classification tree. The traversal path is defined as the set of nodes from the root to the last first child node satisfying a node-criteria of the child node. Thus packet classification has completed and flow continues with 621.

Step 4: For each first child node satisfying a node-criteria of the child node, form the data packet into a matched packet. This may be performed as in steps 4A, 4B and/or 4C.

Step 4A: The current node is added to the node traversal path 605.

Step 4B: The node may execute a set of code, if such code exists, which may parse and transform the packet 607. If the set of code exists, the packet is parsed and transformed 617. If not, flow continues with 609.

Once a node's node-criteria is satisfied, the packet's traversal of the classification tree is limited to the node's descendants. The remainder of the classification tree is not traversed. But before traversing a node's subtree, the node may execute a set of code. In the present embodiment, this set of code is referred to as the packet preprocessor function (pp). The input parameters are the same as for the packet matching function. This includes: the PBUF, an operating system independent data structure containing the packet; the options memory area; and a pointer to the packet filter node. The return code of the pp function is of type pp_t. Examples of type pp_t 900 are enumerated in Figure 9. The packet preprocessor function may perform actions such as parsing a packet and transforming a packet. Parsing a packet generates information that may need to be made available to the node's descendants and ancestors. Transforming a packet takes place, for example, when the IPSEC node's preprocessor transforms an encrypted packet into a decrypted packet. IPSec tunnel information and other information is created that can be used by other nodes in the classification tree.

The present invention thus provides a generic mechanism for retaining or passing state information between nodes by a mechanism referred to herein as options passing. In an example of option passing, an options memory segment is attached to each packet during its tree traversal. Each node may store and retrieve state using the APIs: fw_add_option, fw_next_option. Since a node may not understand all options that are passed to it, the node will process the options it understands and ignore those which it does not understand.
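One way to realise the options passing mechanism, as an added example that is not the patent's code: an options memory area attached to the packet holds a sequence of type/length/value records, and a consuming node walks it with a fw_next_option-style iterator, taking only the option type it understands and skipping the rest. The API names fw_add_option and fw_next_option come from the text; their signatures, the TLV layout, the option type numbers and the scenario are assumptions made here. The second demo function shows the check a practitioner wants: a record whose length overruns the area is reported as malformed, never read past.

```c
/* Added example, not the patent's code: a TLV-packed options area with add and
 * next operations named after the text's fw_add_option / fw_next_option. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_AREA_SIZE 256

/* The options memory area travels with the packet through the tree. */
struct options_area { size_t used; uint8_t buf[OPT_AREA_SIZE]; };

/* Each option is a type/length header followed by its payload. */
struct opt_hdr { uint16_t type; uint16_t len; };

/* Assumed option types; a node only needs to know the ones it uses. */
enum { OPT_IPSEC_TUNNEL_ID = 1, OPT_USERID = 2, OPT_VENDOR_PRIVATE = 0x7fff };

/* Append an option. Returns 0 on success, -1 if it would not fit. */
int fw_add_option(struct options_area *oa, uint16_t type, const void *data, uint16_t len)
{
    if (oa->used + sizeof(struct opt_hdr) + len > OPT_AREA_SIZE) return -1;
    struct opt_hdr h = { type, len };
    memcpy(oa->buf + oa->used, &h, sizeof h);
    memcpy(oa->buf + oa->used + sizeof h, data, len);
    oa->used += sizeof h + len;
    return 0;
}

/* Iterate over the area; *cursor starts at 0. Returns 1 with type/data/len
 * filled in for the next option, 0 at the end, -1 if the area is malformed. */
int fw_next_option(const struct options_area *oa, size_t *cursor,
                   uint16_t *type, const uint8_t **data, uint16_t *len)
{
    if (*cursor == oa->used) return 0;
    if (*cursor + sizeof(struct opt_hdr) > oa->used) return -1;   /* truncated header */
    struct opt_hdr h;
    memcpy(&h, oa->buf + *cursor, sizeof h);
    if (*cursor + sizeof h + h.len > oa->used) return -1;         /* length overruns the area */
    *type = h.type;
    *len = h.len;
    *data = oa->buf + *cursor + sizeof h;
    *cursor += sizeof h + h.len;
    return 1;
}

/* A consuming node: it wants only the userid option and ignores every type it
 * does not understand. Returns 1 and copies the userid if found, 0 if absent,
 * -1 if the area is malformed or the value does not fit. */
int node_read_userid(const struct options_area *oa, char *out, size_t outsz)
{
    size_t cur = 0;
    uint16_t type, len;
    const uint8_t *data;
    int rc;
    while ((rc = fw_next_option(oa, &cur, &type, &data, &len)) == 1) {
        if (type != OPT_USERID) continue;   /* unknown or irrelevant: skip */
        if (len >= outsz) return -1;
        memcpy(out, data, len);
        out[len] = '\0';
        return 1;
    }
    return rc;
}

/* Scenario (constructed values): an IPsec node records its tunnel id, a vendor
 * node adds a private option, an authentication agent adds the userid, and a
 * downstream policy node reads just the userid. Returns 1 on success. */
int options_passing_demo(char *userid_out, size_t outsz)
{
    struct options_area oa = { 0, {0} };
    uint32_t tunnel = 4242;
    if (fw_add_option(&oa, OPT_IPSEC_TUNNEL_ID, &tunnel, sizeof tunnel)) return -1;
    if (fw_add_option(&oa, OPT_VENDOR_PRIVATE, "xyz", 3)) return -1;
    if (fw_add_option(&oa, OPT_USERID, "jdoe", 4)) return -1;
    return node_read_userid(&oa, userid_out, outsz);
}

/* Edge case: a header claiming more bytes than the area holds is reported as
 * malformed (-1) rather than read past the end of the buffer. */
int options_malformed_demo(void)
{
    struct options_area oa = { 0, {0} };
    struct opt_hdr bad = { OPT_USERID, 100 };
    memcpy(oa.buf, &bad, sizeof bad);
    oa.used = sizeof bad;
    char out[8];
    return node_read_userid(&oa, out, sizeof out);
}

/* Returns 1 if the demo delivers the expected userid to the consuming node. */
int options_demo_matches(const char *expected)
{
    char uid[32];
    return options_passing_demo(uid, sizeof uid) == 1 && strcmp(uid, expected) == 0;
}

int main(void)
{
    printf("userid passed: %d, malformed detected: %d\n",
           options_demo_matches("jdoe"), options_malformed_demo() == -1);
    return 0;
}
```

Because every node validates each record's length against the area before dereferencing it, a node that was loaded later and emits options the others have never seen cannot corrupt their view of the area; they skip its records by type.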



Step 4C: The node may also suspend the classification process in order to obtain additional external information so as to augment packet classification and demultiplexing 615.

Suspending the classification process involves queueing any data, including information about the packet or its present classification, and transferring the data to an application that is scheduled outside of the forwarding or interrupt context of the kernel.

One embodiment augments packet classification by suspending the packet classification process until the application, scheduled outside of the forwarding or interrupt context of the kernel, completes. The resulting external information is used to augment the packet classification.

Examples of applications which may augment packet classification include packet identification and authentication agents. An identification/authentication agent may use s/ident for out of band identification and authentication. Authentication may use s/ident for out of band authentication in order to correlate the packet with a userid. Another example of authentication is to correlate a VPN tunnel id with a userid.

This external information, such as packet identification and/or authentication, permits packets to be handled differently. For example, assume that a site connected to the Internet is severely bandwidth limited. As a result only a limited number of employees at any given moment can run applications with high bandwidth demands, such as streaming media. Based on the external information a site policy can be implemented which gives preferential treatment to a set of employees.



Step 5: After packet classification completes, a set of code associated with the last child node which satisfied the node-criteria is executed.

In an embodiment, this set of code is referred to as the packet action function (pa). The packet action input parameters are: the PBUF, a pointer to the node, a pointer to the node traversal path, and the options memory area. An example of return codes of the pa function, of type paction_t, is enumerated in Figure 10 (1000). The return code obtained determines the packet disposition.

Normally the packet action function 621 monitors the packet data in order to obtain application specific state information used by the other node functions. For example, a packet action function with application specific knowledge could monitor the packet data for new negotiated data connections. These new dynamic connections are stored locally in the application specific node. The packet matching function uses the dynamic data as part of the node-criteria for application level packet classification.

Other examples of packet action function usage include: modifying packets, which may be used to implement NAT; queueing packets, which may be used to shape traffic; dropping packets, which may be used for rate limiting; and redirecting packets, which may be used for load balancing.
8 

The packet action function may also suspend kernel packet processing and transfer any data (including information about the packet or its classification) to an application that is scheduled outside of the forwarding or interrupt context of the kernel, and/or obtain external information in order to augment the packet disposition (i.e. discard, forward, process locally or redirect) decision 631. Suspending the packet disposition decision process involves queueing any data, including information about the packet or its classification, and transferring the data to an application, employing a process specific means, that is scheduled outside of the forwarding or interrupt context of the kernel.

An example method of augmenting the packet disposition decision is to suspend any in progress packet disposition decision process until the application scheduled outside of the forwarding or interrupt context of the kernel completes. The resulting external information is used to augment the packet disposition decision. Examples of applications which may augment the packet disposition decision are policy enforcement and content filtering agents based on any combination of the packet classification, identification and authentication. Examples of process specific means include s/identd and external LDAP servers.

Once the application completes, it passes the original data, the external information and the results to the kernel, which issues a call to the node's callback function. The callback function (cb) reinserts the packet at the node which suspended the processing. Based on the application's results, dynamic rules may be created 621.

For example, an especially advantageous usage is with VPN tunnels. Differing policies based on the VPN callee are enforceable using dynamic rules. With application level classification, these rules are no longer limited to fixed pattern matches, such as protocol, but may be written in terms of applications. An example of an application level rule would be 'permit John Doe Real-Audio'. Application level rules would also simplify firewall rule definitions in firewall applications.

Step 6: After the set of code associated with the last child node which satisfied the node-criteria (referred to as the packet action code) completes, a set of code associated with each node in the node traversal path is executed 623.

In the present embodiment, this set of code is referred to as the packet post processor function (px) 625. The packet postprocessing input parameters are the PBUF, the options memory area and the packet action disposition. The return code of the px function is of type paction_t. Examples of type paction_t are enumerated in Figure 10.

Just as the packet preprocessing may decrypt a packet, the packet postprocessing may perform actions such as encrypting a packet 627. As the packet originally traversed the classification tree, the node traversal path was created. Before returning to the base operating system, packet postprocessing is executed in reverse node traversal order.

Normally, the packet disposition is maintained through postprocessing. Only in unusual circumstances does the postprocessing not follow the recommended packet action and previous post processing disposition. For example, with VPN tunnels the outbound tunnel may have been torn down during the classification tree traversal.

Step 7: After the packet processing completes, control returns to the base operating system, which discards, forwards, redirects or locally processes the packet, based on the final disposition 633.
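Steps 1 to 7 carried through in one piece, as an added example that is not the patent's implementation: a classification tree of PacketFilter nodes with pm/pp/pa/px function pointers, a left-to-right descent that records the traversal path, the action function of the last matched node deciding the disposition, and post processing running back up the path in reverse order (here an IPsec node whose pp stands in for decryption and whose px stands in for re-encryption). The names PacketFilter, pm, pp, pa, px, the pm_t values and the paction_t type come from the text; the C signatures, the PBUF fields, the tree layout, the disposition value names and the sample packets are assumptions made here. Step 4C, suspending for an external agent, is left out.

```c
/* Added example, not the patent's implementation: a small classification tree
 * exercising Steps 1-7. PacketFilter, the pm/pp/pa/px roles and the pm_t /
 * paction_t names come from the text; the C signatures, the PBUF fields, the
 * tree below and the sample packets are assumptions. Step 4C is omitted. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { NO_Match, Match_OK, Match_This, Match_Discard, Match_Forward } pm_t;
typedef enum { PA_FORWARD, PA_DISCARD, PA_LOCAL, PA_REDIRECT } paction_t;
/* PBUF: OS independent packet container (assumed, minimal fields). */
typedef struct { int is_ipv4; uint8_t ip_proto; uint16_t dport; int encrypted; } PBUF;

typedef struct PacketFilter PacketFilter;
typedef pm_t      (*pm_fn)(PBUF *, PacketFilter *);
typedef int       (*pp_fn)(PBUF *, PacketFilter *);
typedef paction_t (*pa_fn)(PBUF *, PacketFilter *);
typedef paction_t (*px_fn)(PBUF *, PacketFilter *, paction_t);
struct PacketFilter {
    const char *name;
    pm_fn pm; pp_fn pp; pa_fn pa; px_fn px;    /* pm and pa required; pp/px may be NULL */
    PacketFilter **children; size_t nchildren; /* child order governs traversal */
};

#define MAX_PATH 8
struct traversal { PacketFilter *path[MAX_PATH]; size_t depth; };

/* Steps 2-4: at each level ask the children left to right; the first whose pm
 * is satisfied joins the traversal path (4A), runs its pp (4B) and becomes the
 * parent for the next level. Stop when every child answers NO_Match. */
static int classify(PacketFilter *root, PBUF *pkt, struct traversal *t)
{
    PacketFilter *cur = root;
    t->depth = 0;
    for (;;) {
        PacketFilter *hit = NULL;
        for (size_t i = 0; i < cur->nchildren && !hit; i++)
            if (cur->children[i]->pm(pkt, cur->children[i]) != NO_Match)
                hit = cur->children[i];
        if (!hit) return 0;                          /* fully traversed */
        if (t->depth == MAX_PATH) return -1;         /* path overflow: refuse */
        t->path[t->depth++] = hit;
        if (hit->pp && hit->pp(pkt, hit) != 0) return -1;
        cur = hit;
    }
}

/* Steps 5-7: pa of the last matched node decides; px of every node on the path
 * then runs in reverse traversal order and may revise the disposition. */
paction_t process_packet(PacketFilter *root, PBUF *pkt, struct traversal *t)
{
    if (classify(root, pkt, t) != 0) return PA_DISCARD;   /* refuse on traversal error */
    if (t->depth == 0) return PA_FORWARD;                 /* no node claimed the packet */
    PacketFilter *last = t->path[t->depth - 1];
    paction_t disp = last->pa(pkt, last);
    for (size_t i = t->depth; i-- > 0; )
        if (t->path[i]->px) disp = t->path[i]->px(pkt, t->path[i], disp);
    return disp;
}

/* Sample nodes. The IPsec node's pp stands in for decryption and its px for
 * re-encryption on the way back out; no cryptography is performed here. */
static pm_t pm_ipv4(PBUF *p, PacketFilter *n)  { (void)n; return p->is_ipv4 ? Match_OK : NO_Match; }
static pm_t pm_ipsec(PBUF *p, PacketFilter *n) { (void)n; return p->encrypted ? Match_This : NO_Match; }
static pm_t pm_tcp(PBUF *p, PacketFilter *n)   { (void)n; return (!p->encrypted && p->ip_proto == 6) ? Match_OK : NO_Match; }
static pm_t pm_udp(PBUF *p, PacketFilter *n)   { (void)n; return (!p->encrypted && p->ip_proto == 17) ? Match_OK : NO_Match; }
static pm_t pm_http(PBUF *p, PacketFilter *n)  { (void)n; return p->dport == 80 ? Match_OK : NO_Match; }
static int pp_ipsec(PBUF *p, PacketFilter *n)  { (void)n; p->encrypted = 0; return 0; }
static paction_t px_ipsec(PBUF *p, PacketFilter *n, paction_t d) { (void)n; p->encrypted = 1; return d; }
static paction_t pa_local(PBUF *p, PacketFilter *n)   { (void)p; (void)n; return PA_LOCAL; }
static paction_t pa_forward(PBUF *p, PacketFilter *n) { (void)p; (void)n; return PA_FORWARD; }

static PacketFilter http  = { "http", pm_http, NULL, pa_local, NULL, NULL, 0 };
static PacketFilter *tcp_kids[]   = { &http };
static PacketFilter tcp   = { "tcp", pm_tcp, NULL, pa_forward, NULL, tcp_kids, 1 };
static PacketFilter udp   = { "udp", pm_udp, NULL, pa_forward, NULL, NULL, 0 };
static PacketFilter *ipsec_kids[] = { &tcp };
static PacketFilter ipsec = { "ipsec", pm_ipsec, pp_ipsec, pa_forward, px_ipsec, ipsec_kids, 1 };
static PacketFilter *ipv4_kids[]  = { &ipsec, &tcp, &udp };
static PacketFilter ipv4  = { "ipv4", pm_ipv4, NULL, pa_forward, NULL, ipv4_kids, 3 };
static PacketFilter *root_kids[]  = { &ipv4 };
static PacketFilter root  = { "root", NULL, NULL, NULL, NULL, root_kids, 1 };

struct run_result { paction_t disp; size_t depth; int encrypted; };
/* Run one constructed packet through the tree and report what happened. */
struct run_result run_sample(int is_ipv4, uint8_t proto, uint16_t dport, int encrypted)
{
    PBUF p = { is_ipv4, proto, dport, encrypted };
    struct traversal t;
    struct run_result r;
    r.disp = process_packet(&root, &p, &t);
    r.depth = t.depth; r.encrypted = p.encrypted;
    return r;
}
int main(void)
{
    struct run_result r = run_sample(1, 6, 80, 1);   /* IPsec-wrapped HTTP */
    printf("disposition %d, path depth %zu, re-encrypted %d\n", r.disp, r.depth, r.encrypted);
    return 0;
}
```

An encrypted HTTP packet takes the path root, ipv4, ipsec, tcp, http (depth 4): the IPsec node's pp clears the encrypted flag so that the tcp and http matchers can see the inner headers, the http action decides local delivery, and on the way out the IPsec px restores the flag while leaving the disposition untouched, which is the normal case the text describes for post processing.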

Figure 11 shows an example embodiment of the present invention as an apparatus to classify and/or augment the disposition of a data packet. The apparatus includes a network interface device (1101) to receive a packet from the physical network and pass the packet to a root node of a classification tree, and the reverse, to receive a packet from the root node and send a packet to the physical network. The apparatus also includes a packet module (1103) to successively pass the packet from child node to child node on each tree level until a first child node of a tree level of the classification tree indicates a satisfaction of a node-criteria of that first child node. The first child node forms the data packet into a matched packet, until no first child node of a next level at a succeeding next level indicates satisfaction of the node-criteria of the first child node of the next level.

It is noted that an accelerator chip can be used to implement the packet module (1103). This chip can be used as the basis of a firewall box, a border server, or an application level classification system such as is needed when diagnosing high speed networking problems.

Other apparatus embodiments of the present invention may be implemented in ways known to those familiar with the art. For example, the invention may be implemented using an apparatus for classifying a data packet. This apparatus includes: means for receiving the data packet at a root node of a classification tree; means for successively passing the data packet to each child of a first tree level until a first child node of the first tree level of the classification tree indicates a satisfaction of a node-criteria of said first child node, and the first child node forming said data packet into a matched packet; and means for repeating the steps of passing and forming for a next tree level until no first child node of said next tree level at a succeeding next level indicates satisfaction of the node-criteria of said first child node of said succeeding next level. This apparatus may, for example, be in the form of a floppy or hard disk, flash memory, or external magnetic media, etc.
Another example embodiment of the present invention is an apparatus for determining disposition of a packet received at a child node. This apparatus includes: an interrupt context of a control program, with the child node existing within the interrupt context; an external process outside of the interrupt context of the control program; means for passing said packet and a first disposition of said packet to the external process, the external process to augment the packet disposition by employing a process specific means and to return an augmented packet with an augmented disposition to the child node; and the interrupt context including means for receiving the augmented packet and the augmented disposition from the external process. This apparatus may, for example, also be in the form of a hard disk, a floppy disk, or external magnetic media, etc. A control program may be implemented as software that manages the example apparatus.

The present invention can be realized in hardware, software, or a combination of hardware and software. The present invention can be realized in a centralized fashion in one computer system, or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system - or other apparatus adapted for carrying out the methods described herein - is suited. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein. The present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which - when loaded in a computer system - is able to carry out, or cause the carrying out of these methods.

Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following:

1. conversion to another language, code or notation; and/or
2. reproduction in a different material form.

It is noted that the foregoing has outlined some of the more pertinent objects and embodiments of the present invention. The concepts of this invention may be used for many applications. Thus, although the description is made for particular arrangements and methods, the intent and concept of the invention is suitable and applicable to other arrangements and applications. For example, although reference is made to a data packet, the invention is similarly applicable to a non-data packet. It will be clear to those skilled in the art that other modifications to the disclosed embodiments can be effected without departing from the spirit and scope of the invention. The described embodiments ought to be construed to be merely illustrative of some of the more prominent features and applications of the invention. Other beneficial results can be realized by applying the disclosed invention in a different manner or modifying the invention in ways known to those familiar with the art. Thus, it should be understood that the embodiments have been provided as an example and not as a limitation. The scope of the invention is defined by the appended claims.
CLAIMS

Having thus described our invention, what we claim as new and desire to secure by Letters Patent is as follows:

1. A method for classifying a data packet, the method comprising:
    receiving the data packet at a root node of a classification tree;
    successively passing the data packet to each child of a first tree level until a first child of the first tree level of the classification tree indicates a satisfaction of a node-criteria of said first child, and the first child forming said data packet into a matched packet; and
    repeating the step of passing and forming for a next tree level until no first child of said next level at a succeeding next level indicates satisfaction of the node-criteria of said first child of said next level.

2. A method as recited in claim 1, wherein the step of passing includes executing a set of code which returns a status indication.

3. A method as recited in claim 1, wherein the step of forming includes the first child specifying a set of code to be run subsequently.
4. A method as recited in claim 3, wherein the step of specifying includes specifying the set of code to be run following satisfaction.

5. A method as recited in claim 1, further comprising dynamically adding at least one node in at least one level of the classification tree.

6. A method as recited in claim 5, wherein said at least one new child node is a Real Audio node.

7. A method for classifying a packet, said method comprising suspending a packet classification process in progress for said packet; and obtaining external information employed in said classifying.

8. A method as in claim 7, wherein the step of obtaining includes augmenting a node-criteria of a node in a classification tree with external information.

9. A method as in claim 8, wherein the external information includes identification of the originator of said packet.

10. A method as in claim 8, wherein the external information includes authentication of an originator of said packet.

11. A method as recited in claim 7, wherein the classification process is an extendible classifier process.
12. A method as recited in claim 1, further comprising the step of parsing said matched packet and generating relevant information.

13. A method as recited in claim 1, further comprising the step of transforming said matched packet into a transformed packet.

14. A method as recited in claim 1, further comprising associating the packet with a last first child indicating satisfaction.

15. A method as recited in claim 14, further comprising executing a set of code in accordance with said last first child.

16. A method as recited in claim 1, further comprising determining a disposition of the data packet.

17. A method for determining disposition of a packet received at a child node, said method comprising:
    passing said packet and a first disposition of said packet to an external process; and
    said external process augmenting the packet disposition by employing a process specific means; and returning the augmented packet and an augmented disposition to the child node.

18. A method as recited in claim 17, further comprising suspending a disposition process in progress for said packet.
19. A method as in claim 18, wherein the augmented disposition includes identification of an originator of said packet.

20. A method as in claim 18, wherein the augmented disposition includes authentication of an originator of said packet.

21. A method as recited in claim 18, wherein the disposition is employed for policy enforcement.

22. A method as recited in claim 16, further comprising employing the classification process as a firewall.

23. A method as recited in claim 1, further comprising employing the classification process for application level classification.

24. A method as recited in claim 23, further comprising employing the classification process for policy enforcement.

25. A method as recited in claim 23, further comprising employing the classification process for rate limiting.

26. A method as recited in claim 23, further comprising employing the classification process for load balancing.

27. A method as recited in claim 1, further comprising employing the classification process to shape traffic.

28. An apparatus to classify a data packet, the apparatus comprising:
    a network interface device to receive the data packet from the physical network and pass the data packet to the root node of a classification tree, and the reverse, to receive the data packet from the root node and send the data packet to the physical network;
    a packet module to successively pass the packet from child node to child node at a next tree level until a first child node of the next tree level of the classification tree which indicates a satisfaction of a node-criteria of the first child node, and to form the data packet into a matched packet until no first child node at a succeeding next level indicates satisfaction of the first node-criteria of the first child node of the succeeding next level.

29. An apparatus as recited in claim 28, wherein a portion of the apparatus is implemented as an accelerator chip.

30. An apparatus as recited in claim 28, wherein the apparatus is employed for application level classification.

31. An apparatus as recited in claim 28, wherein the apparatus is employed as a firewall.

32. An apparatus as recited in claim 28, wherein the apparatus is employed as a border server.

33. A method as recited in claim 2, wherein the status indication is of the pm_t type.
34. An article of manufacture comprising a computer usable medium having computer readable program code means embodied therein for causing classification of a data packet, the computer readable program code means in said article of manufacture comprising computer readable program code means for causing a computer to effect the steps of claim 1.

35. An article of manufacture as recited in claim 34, the computer readable program code means in said article of manufacture further comprising computer readable program code means for causing a computer to effect dynamically adding at least one node in at least one level of the classification tree.

36. An article of manufacture comprising a computer usable medium having computer readable program code means embodied therein for causing classification of a data packet, the computer readable program code means in said article of manufacture comprising computer readable program code means for causing a computer to effect the steps of claim 8.

37. A computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing a determination of a disposition of a packet, the computer readable program code means in said computer program product comprising computer readable program code means for causing a computer to effect the steps of claim 18.

38. An apparatus for classifying a data packet, the apparatus comprising:
    means for receiving the data packet at a root node of a classification tree;
    means for successively passing the data packet to each child of a first tree level until a first child node of the first tree level of the classification tree indicates a satisfaction of a node-criteria of said first child node, and the first child node forming said data packet into a matched packet; and
    means for repeating the steps of passing and forming for a next tree level until no first child node of said next tree level at a succeeding next level indicates satisfaction of the node-criteria of said first child node of said succeeding next level.

39. An apparatus for determining disposition of a packet received at a child node, said apparatus comprising:
    an interrupt context of a control program, said child node existing within the interrupt context;
    an external process outside of the interrupt context of the control program;
    means for passing said packet and a first disposition of said packet to the external process, said external process to augment the packet disposition by employing a process specific means and to return an augmented packet with an augmented disposition to the child node; and
    said interrupt context including means for receiving said augmented packet and said augmented disposition from said external process.
Abstract

The present invention provides methods and apparatus for classifying and demultiplexing packets in a network protocol stack. It provides extendibility for packet processing in the network protocol stack by defining a standard method for adding new functionality. It provides a method to obtain external information, from an application scheduled outside of the forwarding or interrupt context of the kernel, in order to augment packet classification and/or augment packet disposition. In some embodiments, external information augments a criteria of a node in a classification tree with additional information. It presents a way of augmenting which suspends the classification process until an application, scheduled outside of the forwarding or interrupt context of the kernel, completes. The resulting external information is used to augment the packet classification. In some embodiments of the method, the external information includes authentication of an originator of the packet by correlating a tunnel id with a userid, and/or using s/ident for out of band authentication. The classification process enables enforcement of a site policy.
No_Match - Didn't match the packet; continue normal tree traversal
Match_OK - Matched the packet; continue normal tree traversal
Match_This - Matched this node; execute the packet action code immediately
Match_Discard - Matched the packet; immediately discard the packet
Match_Forward - Matched the packet; immediately forward the packet

PP_NotOK - Stop tree traversal
PP_OK - Continue tree traversal
PP_Discard - Immediately stop traversing the tree; discard the packet
PP_Forward - Immediately stop traversing the tree; forward the packet

OK_Discard - Reverse traverse the tree for postprocessing; recommend to discard the packet
OK_Forward - Reverse traverse the tree for postprocessing; recommend to forward the packet
Stop_Discard - Discard the packet immediately without reverse traversing the tree
Stop_Forward - Forward the packet immediately without reverse traversing the tree
OK_Local - Accept the packet locally
OK_Redirect - Redirect the packet to a foreign host
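The classification-tree traversal recited in claim 1 and in the packet module description, driven by the match status values and final dispositions listed above, as an added Python example that is not part of the patent. The Node and classify names, the packet dictionary fields, and the sample tree with its blocklist address are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Match status values a node's criteria code can return (the page's pm_t-style codes)
NO_MATCH, MATCH_OK, MATCH_THIS, MATCH_DISCARD, MATCH_FORWARD = (
    "No_Match", "Match_OK", "Match_This", "Match_Discard", "Match_Forward")

@dataclass
class Node:
    name: str
    criteria: Callable[[dict], str]                          # node-criteria: packet -> match status
    action: Callable[[dict], str] = lambda p: "OK_Forward"   # action code, returns a disposition
    children: List["Node"] = field(default_factory=list)

def classify(root: Node, packet: dict) -> Tuple[List[str], str]:
    """Offer the packet to each child of the current level in turn until one indicates
    satisfaction of its node-criteria, descend from that child, and stop when no child
    of the next level matches. Returns (path of matched nodes, disposition)."""
    path, current = [root.name], root
    while True:
        matched = None
        for child in current.children:
            status = child.criteria(packet)
            if status == NO_MATCH:
                continue                        # try the next child at this level
            if status == MATCH_DISCARD:         # immediate discard, no reverse traversal
                return path + [child.name], "Stop_Discard"
            if status == MATCH_FORWARD:         # immediate forward, no reverse traversal
                return path + [child.name], "Stop_Forward"
            matched = child
            path.append(child.name)
            if status == MATCH_THIS:            # run this node's action code immediately
                return path, child.action(packet)
            break                               # Match_OK: descend to the next level
        if matched is None:                     # no child matched: last matched node decides
            return path, current.action(packet)
        current = matched

def build_sample_tree() -> Node:
    """Constructed sample tree (assumption, not from the patent): root -> ip -> tcp -> {blocklist, http, ssh}."""
    http = Node("http", lambda p: MATCH_THIS if p["dport"] == 80 else NO_MATCH,
                action=lambda p: "OK_Local")
    ssh = Node("ssh", lambda p: MATCH_OK if p["dport"] == 22 else NO_MATCH,
               action=lambda p: "OK_Local")
    # A firewall-style node placed first at the TCP level: a blocked source (constructed
    # documentation address) is discarded before the application-level nodes see the packet.
    blocklist = Node("blocklist",
                     lambda p: MATCH_DISCARD if p["src"] == "198.51.100.7" else NO_MATCH)
    tcp = Node("tcp", lambda p: MATCH_OK if p["proto"] == "tcp" else NO_MATCH,
               children=[blocklist, http, ssh])
    ip = Node("ip", lambda p: MATCH_OK, children=[tcp])
    return Node("root", lambda p: MATCH_OK, children=[ip])
```

Calling classify(build_sample_tree(), {"proto": "tcp", "dport": 443, "src": "192.0.2.1"}) stops at the tcp node because no child of the next level matches, so the last matched node's action code supplies the disposition.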